Latest revision as of 13:33, 13 April 2010

Metadata is data about data. Metadata plays a number of important roles in computer forensics:

It can provide corroborating information about the document data itself.

It can reveal information that someone tried to hide, delete, or obscure.

It can be used to automatically correlate documents from different sources.

Since metadata is fundamentally data, it suffers from the same data quality and pedigree issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.

Kinds of Metadata

Digital image metadata. Although information such as the image size and number of colors is technically metadata, JPEG and other file formats store additional data about the photo or the device that acquired it.

Document metadata, such as the creator of a document, its last print time, etc.

File types that support metadata and extraction tools

Below are some common data and metadata formats, the files in which they are found, and a collection of tools that can be used to extract information.

The Exchangeable Image File format describes a format for a block of data that can be embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and time information, camera settings, location information, textual descriptions, and copyright information.

Implemented as a small block of data stored at the end of MP3 files. ID3v1 is a 128-byte block in a specified format allowing 30 bytes for song, artist and album, 4 bytes for year, 30 bytes for comment, and 1 byte for genre. ID3v1.1 adds a track number. ID3v2 is a general container structure. For more information, see [1].
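The 128-byte ID3v1 layout described above can be read directly from the tail of a file. The following parser is an added example, not part of the original page: the function names, the Latin-1 decoding, and the sample bytes are assumptions made here. It also reports any bytes left in a field after its NUL terminator, since fixed-width fields can retain fragments of an earlier value.

```python
import struct

# "TAG" magic, title/artist/album (30 bytes each), year (4), comment (30), genre (1)
LAYOUT = struct.Struct("<3s30s30s30s4s30sB")
assert LAYOUT.size == 128


def split_field(raw: bytes):
    """Return (text before the first NUL, non-padding bytes left after it)."""
    head, _, rest = raw.partition(b"\x00")
    # Latin-1 is an assumption of this example; it never fails to decode.
    return head.decode("latin-1").rstrip(), rest.strip(b"\x00 ")


def parse_id3v1(data: bytes):
    """Parse the trailing 128-byte ID3v1/ID3v1.1 block; None if absent."""
    if len(data) < LAYOUT.size:
        return None
    magic, title, artist, album, year, comment, genre = LAYOUT.unpack(data[-LAYOUT.size:])
    if magic != b"TAG":
        return None
    tag = {"version": "1.0", "track": None, "genre": genre, "slack": {}}
    # ID3v1.1: comment byte 28 is NUL and byte 29 is a non-zero track number
    if comment[28] == 0 and comment[29] != 0:
        tag["version"], tag["track"] = "1.1", comment[29]
        comment = comment[:28]
    fields = {"title": title, "artist": artist, "album": album,
              "year": year, "comment": comment}
    for name, raw in fields.items():
        tag[name], residue = split_field(raw)
        if residue:  # leftover bytes after the terminator, e.g. an overwritten value
            tag["slack"][name] = residue
    return tag


def build_sample() -> bytes:
    """Constructed sample: filler bytes followed by an ID3v1.1 tag."""
    comment = b"ripped 2009".ljust(28, b"\x00") + b"\x00" + bytes([7])
    tag = LAYOUT.pack(b"TAG", b"Example Song\x00OLD", b"Example Artist",
                      b"Example Album", b"2009", comment, 12)
    return b"\x00" * 64 + tag


if __name__ == "__main__":
    print(parse_id3v1(build_sample()))
```

The genre is returned as the raw byte value; mapping it to a name requires the ID3v1 genre table, which is not reproduced here.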

Microsoft Office document files contain a huge amount of metadata. The files are created as OLE Compound Files, and the metadata is mainly stored in the so-called property set streams. Here are some tools for processing them: